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DETAILED ACTION 

1. Claims 1-11, 13, 15-17, 19-22 are pending. 

2. Amendment filed 10/07/2005 with a request for continued 
examination has been received and considered. 

Claim Rejections - 35 USC §112 

3. The rejection of claim 22 under the first paragraph of 35 
U.S.C. 112 has been withdrawn because claim 22 has been 
canceled. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which 
forms the basis for all obviousness rejections set forth in this 
Office action: 

(a) A patent may not be obtained though the invention is not identically 
disclosed or described as set forth in section 102 of this title, if the 
differences between the subject matter sought to be patented and the prior 
art are such that the subject matter as a whole would have been obvious at 
the time the invention was made to a person having ordinary skill in the 
art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

5. Claims 1-2, 10-21 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over I'Anson et al (EPO 0474932), further in 
view of Sweitzer et al (US 6535551), and further in view of 
Shanklin et al (US 6487666) . 
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As per claims 1, and 19-21, I'Anson discloses identifying 
at least two valid states associated with the network protocol 
in which a first host system communicating with a second host 
system using the network protocol may be placed; defining at 
least one valid transition between a first state of the at least 
two valid states and a second state of the at least two valid 
states; determining that a connection under the network protocol 
is in the first state; analyzing the stream based at least in 
part on the determination that the connection under the network 
protocol is in a first state to determine whether the packet is 
associated with the at least one valid transition (see p. 3 
lines 22-39 and p. 4 lines 27-49). 

I'Anson fails to disclose defining an invalid state 
associated with the network protocol and expressing the at least 
one valid transition and the invalid transition in the form of a 
regular expression and using the regular expression to analyze 
the network protocol stream. 

However, Sweitzer et al teaches the use of an invalid state 
(see column 9 line 63 through column 10 line 23) and Shanklin et 
al teaches the use of regular expressions (see column 6 lines 
39-57) . 

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use the invalid state 
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of Sweitzer et al and Shanklin et al's regular expressions to 
analyze the protocol of I'Anson. 

Motivation to do so would have been to handle errors and to 
recognize and evaluate identifiers, special symbols, or other 
tokens . 

As per claim 2, the modified I'Anson, Shanklin et al and 
Sweitzer et al system discloses compiling the regular expression 
into computer code (see Shanklin et al column 6 lines 39-57) . 

As per claims 10-11, the modified I'Anson, Shanklin et al 
and Sweitzer et al system discloses keeping track of which of 
the at least two states the first host system currently is in 
and changing the tracked state of the first host system from the 
first of the at least two states to the second of the at least 
two states in the event the analysis of the network protocol 
stream indicates the at least one valid transition has taken 
place (see I'Anson p. 4 lines 27-49). 

As per claim 13, the modified I'Anson, Shanklin et al and 
Sweitzer et al system discloses the invalid transition indicates 
that a security-related event has taken or is taking place and 
defining a further state corresponding to the invalid operation 
(see p. 4 lines 18-26 where the security related event is the 
intrusion of Shanklin et al as applied with Sweitzer) . 
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As per claims 15-17, the modified I'Anson, Shanklin et al 
and Sweitzer et al system discloses keeping track of which 
state, from the set comprising the at least two states and the 
further state, the first host system currently is in; and 
changing the state of the first host system to the further state 
in the event that the analysis of the network protocol stream 
indicates the invalid operation has taken place and in the event 
that the analysis of the network protocol stream indicates the 
invalid operation has taken place, an indication that the 
invalid operation has taken place then discontinuing analysis of 
the network protocol stream once the state of the first host 
system has been changed to the further state (see I 'Anson page 
4) . 

6. Claims 3-4 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson, Shanklin et al and 
Sweitzer et al system as applied to claim 2 above, and further 
in view of Wijendran (AWK-to-C Translator) . 

As per claims 3-4, the modified I'Anson, Shanklin et al and 
Sweitzer et al system fails to disclose the use of optimal C 
programming language code. 

However, Wijendran teaches this optical C code (see page 

1) . 
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At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use Wijendran's optical 
C code in the modified I'Anson, Shanklin et al and Sweitzer et 
al system. 

Motivation to do so would have been to maximize runtime 
performance (see page 1). 

7. Claim 5 is rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson, Shanklin et al and 
Sweitzer et al system as applied to claim 2 above, and further 
in view of Mangione-Smith (How many vector registers are 
useful?) . 

As per claim 5, the modified I'Anson, Shanklin et al and 
Sweitzer et al system fails to disclose the use of nearly 
optimal computer code. 

However, Mangione-Smith teaches nearly optical code (see 
page 1) . 

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use Mangione-Smith' s 
nearly optical code in the modified I'Anson, Shanklin et al and 
Sweitzer et al system. 

Motivation to do so would have been that nearly optimal 
code requires less vector registers (see page 1). 
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8. Claims 6-9 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over t the modified I'Anson, Shanklin et al and 
Sweitzer et al system as applied to claim 1 above, and further 
in view of Blam (US 6467041) . 

As per claim 6, the modified I'Anson, Shanklin et al and 
Sweitzer et al system fails to disclose copying the stream to a 
third party to be analyzed. 

However, Blam teaches a third party analyzer (see column 6 
lines 5-29) . 

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use Blam' s third party 
analyzer to analyze the protocol analyzer of the modified 
I'Anson, Shanklin et al and Sweitzer et al system. 

Motivation to do so would have been to perform the analysis 
regardless of what resources are on the network or client (see 
column 6 lines 5-29) . 

As per claims 7-9, the modified I'Anson, Shanklin et al, 
Sweitzer et al, and Blam system discloses the network protocol 
stream comprises packets of data, each packet being associated 
with a sequence number indicating its position relative to other 
packets in the protocol stream, and the third system reassembles 
the packets into the order indicated by the respective sequence 
numbers of the packets received where a copy of the network 
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protocol stream is maintained in the third system until analysis 
has been completed and in the event the packets are received by 
the third system in sequence number order, a copy is maintained 
in the third system only of those packets comprising the portion 
of the network protocol currently under analysis (see I'Anson 
pages 4-5 and Blam column 6 lines 5-29) . 

Response to Arguments 

9. Applicant's arguments with respect to claims 1-11, 13, 15- 
17, and 19-22 have been considered but are moot in view of the 
new ground(s) of rejection. 

Conclusion 

10. The prior art made of record and not relied upon is 
considered pertinent to applicant's disclosure. Keller (US 
6292467) teaches transitions into invalid states; as does "User- 
land states" which does not qualify as prior art. 

Any inquiry concerning this communication or earlier 
communications from the examiner should be directed to Michael 
Pyzocha whose telephone number is (571) 272-3875. The examiner 
can normally be reached on 7:00am - 4:30pm first Fridays of the 
bi-week off. 
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If attempts to reach the examiner by telephone are 
unsuccessful, the examiner's supervisor, Emmanuel Moise can be 
reached on (571) 272-38655. The fax phone number for the 
organization where this application or proceeding is assigned is 
703-872-9306. 

Information regarding the status of an application may be 
obtained from the Patent Application Information Retrieval 
(PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, 
see http://pair-direct.uspto.gov. Should you have questions on 
access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free) . 
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EMMANUEL L MOISE 
SUPERVISORY PATENT EXAMINER 



